06. SmartWAN Portal
This is a guide for users to use the security operating center portal of OpenSASE/XDR.
Authentication
SmartWAN Portal Login
When you access the SmartWAN Portal, you will encounter the login screen as shown in the image below. This screen allows users to authenticate and access the portal's features.
- Email Address or ID: A field where users enter their registered email address or ID (e.g., "Enter your registered email address or ID").
- Password: A field for entering the user’s password (e.g., "Enter your password"), with a visibility toggle icon to show or hide the password.
Additional Authentication Options
- Top-right corner of the screen.
By clicking the "⋮" (three dots) icon in the top-right corner, users can access a detailed menu related to user authentication. This menu provides additional options for managing login settings or troubleshooting access issues.
- Verify Registered Email Address or ID: Allows users to verify their registered email address or ID to ensure they are using the correct credentials for login.
- Reset Password: Provides an option for users to reset their password if they have forgotten it or need to update it for security reasons.
- Request an Account: Enables new users to request an account if they do not already have one, initiating the account creation process.
Some features described above are currently in the prototype stage and are scheduled for future implementation.
Verify Registered Email Address or ID
- QR Code: A QR code is displayed for users to scan with a device that has a registered PassKey, enabling secure verification.
- Verify with Phone Number Button: An alternative "Verify with Phone Number" button is provided for users whose devices do not have a registered PassKey.
Reset Password
- QR Code: A QR code is displayed for users to scan with a device that has a registered PassKey, enabling secure verification prior to password reset.
- Verify with Phone Number Button: An alternative "Verify with Phone Number" button is provided for users whose devices do not have a registered PassKey.
Request an Account
After selecting the "Request an Account" option from the "Additional Login Services Menu" on the SmartWAN Portal, users are directed to the following screen to verify their identity before requesting an account.
PassKey Verification:
- QR Code: A QR code is displayed for users to scan with a device that has a registered PassKey, enabling secure verification prior to requesting an account.
Alternative Option:
- Verify with Phone Number Button: An alternative "Verify with Phone Number" button is provided for users whose devices do not have a registered PassKey.
- PassKey-verified phone number: Displays a pre-filled, non-editable phone number associated with the PassKey.
- Email Address: A field to enter the user’s email address (e.g., "markov01@markov.com"), with a "Check Availability" button to verify if the email is available (status: "Email address is available for use").
- User Name: A field to enter the user’s name.
User Information and Notifications
Real-time Alerts
If any alerts need to be provided to the user, an alert message will be displayed on the left side of the screen in real time.
Assigned Case Notification
Logout
You can log out by clicking the log-out button in the user information.
Dashboard
Getting Started
Logging In with an Accessible User Account
To begin, log in using a user account with access privileges.
Additional user authentication options are described in the Authentication section above.
This guide is based on SKT’s SmartWAN Portal. Updates will be continuously applied to reflect future changes.
Pre-Configured Dashboards
Currently, the dashboards are configured for monitoring SKT’s agency SmartWAN system.
Event Dashboard (under development)
- Purpose: Provides a centralized view of security and network event data, enabling users to monitor and manage incidents effectively.
- Data Sources: Integrates information from multiple origins, including agents, agentless systems, and external feeds.
- Key Information: Displays summaries of event counts, severity levels, and current statuses to facilitate quick decision-making.
Agency Dashboard
- Agency monitoring
- System monitoring
Agency monitoring
Map View
Event levels are defined by SKT's requirements.
Agency List
When a specific region is selected in the Map View, the dashboard displays a list of agencies registered in that region, along with detailed information on the Network Status (CPE) and Security Status (SDP) for each agency.
- Agency List: A comprehensive roster of agencies within the selected region.
- Network Status (CPE): Provides the current operational status of the Customer Premises Equipment for each agency.
- Security Status (SDP): Details the security posture, including Software-Defined Perimeter (SDP) metrics, for each agency.
View details of the agency
To access an agency's detailed information:
- Go to the Agency List in the dashboard.
- Click the desired agency name.
- The system will load the detailed agency view.
Network View
This view provides a granular view of both network performance and security status for the selected agency. Users can toggle between Network View and Security View to access specific metrics.
The dashboard is divided into two main tabs:
- Network View: Displays real-time CPE status and network performance.
- Security View: Shows security-related alerts and SDP metrics (if applicable).
Displays hardware and connectivity details:
- CPE ID/Name/Model: Identifies the device.
- High Availability: Indicates redundancy status (Enabled / Disabled).
- CPE Status:
  - Active: Normal operation.
  - Degraded: Performance issues detected.
  - Inactive: Connection lost.
- Connected Data Centers: Primary (Seoul) and Secondary (Daejeon) links.
Network Performance Metrics data (Live) for troubleshooting:
- CPU/RAM/Disk: Resource usage (% or GB).
- Latency/Jitter: Measured in milliseconds (ms).
- Packet Loss (TX/RX): Percentage of lost data packets.
Lists recent events with types and levels:
| Column | Description | Example |
|---|---|---|
| Type | Event category (Network/Security). | Network |
| Event | Description of the issue. | CPE ETH0 Link Down |
| Level | Severity: Info, High, Critical. | Critical |
| Time | Timestamp (HH:MM:SS.milliseconds). | 16:13:31.00256 |
Security View
This view provides comprehensive monitoring and management capabilities for the selected agency, displaying real-time network status, user information, security events, and service connectivity. The interface is divided into multiple sections for efficient administration.
User Management Section
- User List: Displays all registered users (currently 3 users) with:
  - ID: Unique user identifier (e.g., mskimos3).
  - Name: Full name of the user (e.g., Minsco.ftm).
  - Email: Associated email address (e.g., mskim.ios8@tworld.com).
  - Lock Status: 💬 indicates an active session (no lock applied).
- User Detail: Expands on selected user profiles with:
  - Department/Role: Organizational hierarchy (e.g., Solution Development > Developer).
  - Contact: Email (tworld_win@tworld.com) and phone (010-5587-1154).
  - Device List: Managed devices linked to the user (e.g., SDP Router with OS details).
Agency Policy & Configuration
- Connected CPE: Hardware details of the Customer Premises Equipment:
  - CPE ID/IP: Unique identifiers for the network device.
  - CPE Name: Label for easy recognition.
- Mandatory Processes: Critical processes are monitored by type, name, and operating system.
Security Monitoring
- Security Events Table: Lists real-time security incidents with:
  - Type/Name: Event description (e.g., Blocked access to ransomware sites).
  - Level: Severity (Critical, High).
  - Time: Precise timestamp (e.g., 16:13:01.0025).
- Example Events:
  - Critical: Ransomware detection, essential process violations.
  - High: Blocked access to malicious domains, outdated OS alerts.
Agency Groups
The Agency Group section provides a summary of agency counts per region and detailed status information for CPE.
- Region-Based Counts: Displays the total number of agencies in each region.
- CPE Status Info: Offers insights into the operational status of CPE devices across the agencies.
Event List
- Type: Indicates the category of the event (e.g., sdp-audit, Security).
- Event Name: Specifies the event description (e.g., NdpPerformance, Hardware State Check, ProcessCheck, or security-related messages like [JAMES] Blocked access to www…).
- Level: Denotes the severity of the event, categorized as Info, Minor, Critical, or Block.
- Time: Shows the timestamp of the event in the format MM/DD HH:MM:SS.milliseconds (e.g., 03/30 16:13:00.025).
- Example sdp-audit events: NdpPerformance and Hardware State Check, at Info level.
- Example security events: [JAMES] Access blocked: Rans… at Critical level, or [JAMES] Android OS version is to… at High level.
System monitoring
SecureEdge point of presence
This view shows SecureEdge's distributed architecture. Visual indicators show the status of each system, and the panel at the bottom highlights the agency's critical and security events.
This monitoring supports SKT's internal operations only, providing real-time monitoring of their SecureEdge deployment through redundant controllers and gateways at each location.
Agency List
It's the same as the agency list in Agency Monitoring.
Events List
It's the same as the events list in Agency Monitoring.
Risk Scoring (under development)
This dashboard provides a consolidated view of network security compliance, threat protection status, and regulatory adherence for monitoring and reporting purposes.
The current visualization serves as a prototype. We will develop optimized data representation formats aligned with operational objectives during the implementation phase.
Detection & Response
Cases
The user can access the cases menu, which is under Detection & Response.
Case List
Key Features
- Filters and Search:
- Customer and Asset Selection: Dropdown menus at the top (e.g., "Select a customer," "Select an asset") to filter cases by specific customers or assets.
- Date Range: A date picker to filter cases within a specific time period (e.g., 2024/09/30 - 2024/10/30).
- Advanced Search: A button on the right to access advanced search options for more granular filtering.
- Case Summary:
- Displays the total number of cases (e.g., 279 cases) and the total results (e.g., 2,193 cases) for the selected filters.
- Case Table:
- A table listing cases with columns such as:
- Event Type: Type of event (e.g., Raw Packet).
- Source Asset: Source of the event.
- Destination Asset: Destination of the event.
- Rule: Applied rule.
- Source IP: Source IP address.
- Destination Port: Destination port.
- Time: Timestamp of the event.
- Raw Packet: A column with a clickable icon to view raw packet details (e.g., BSX525D9252F...).
- Notification Settings:
- A "Notification Settings" button at the top-right corner to configure alert preferences.
The items provided in the Case List may be modified in the future based on evolving requirements.
Case Filtering
- Dropdown Menu: Displays a list of available customers (e.g., SK Telecom, Samsung Electronics, KT&G, Ericsson, Coca Cola, General Electric, BMW).
- Action: Click the "Select a customer" dropdown to choose a customer, filtering the case list to show only cases related to the selected customer.
- Each customer is represented separately, reflecting the separation of tenant data in the multi-tenant environment.
- The associated assets for the selected customer are displayed.
Case Details
- Case Information: The default tab, showing detailed case data.
- Case Management: A secondary tab for managing the case.
Case Information
- Event Type: The type of event
- Asset Type: The type of asset involved
- Asset No.: The asset identifier
- Timestamp: The date and time of the event
- System IP: The system IP address
- Origin Country: The country of origin
- Origin IP: The originating IP address
- Origin Port: The originating port
- Destination Country: The destination country
- Destination IP: The destination IP address
- Destination Port: The destination port
- Remote IP: The remote IP address
Case Management
Case Management Procedure Table
| Step | Procedure | Description |
|---|---|---|
| 1 | Case Open | Initiates the case and assigns it to a user. |
| 2 | Initial Investigation | Conducts preliminary analysis of the incident. |
| 3 | Prioritization | Assigns a priority level to the case. |
| 4 | Analysis and Response | Performs detailed analysis and responds to the incident. |
| 5 | Containment and Mitigation | Implements measures to contain and mitigate the issue. |
| 6 | Recovery and Remediation | Restores systems and applies fixes to prevent recurrence. |
| 7 | Case Closure | Closes the case after resolution. |
| 8 | Post-Incident Review | Reviews the incident for lessons learned. |
Step 1. Case Open
- Assignee: The user assigned to handle the case (e.g., Bryan Ga).
- Event Type: The type of event (e.g., Traffic).
- Asset Type: The type of asset involved (e.g., Juniper).
- Asset No.: The asset identifier (e.g., 38697).
- Timestamp: The date and time the event occurred (e.g., 2024-09-30 10:57:59+09:00).
- System IP: The system IP address (e.g., 1.1.1.1).
- Severity Level: The severity of the case (e.g., Critical).
- Threat Classification: The threat level or classification (e.g., 9).
Step 2. Initial Investigation
- Evaluate the Case: Users are prompted to "Evaluate the case details and associated events to verify if it’s a legitimate threat incident and handle it accordingly."
- Event Information Access: Users can find detailed event information for the open case and related events in the "Case Information" tab of the Case Details popup.
- Check for Positive: Users must determine the legitimacy of the threat by selecting one of two options:
- Confirmed as True Positive: Indicates the incident is a confirmed threat.
- Confirmed as False Positive: Indicates the incident is not a threat (e.g., a false alarm).
- After completing the evaluation and selecting the appropriate "Check for Positive" option, users click the "Save Step" button to record their findings and proceed to the next step in the Case Management process.
Step 3. Prioritization
- Priority Evaluation: Users are informed that "Priority is evaluated based on the severity and impact of the event."
- Severity Level Selection: Users can select the severity level of the case from the following options:
- Critical: For incidents with severe impact requiring immediate action.
- High: For incidents with significant impact needing prompt attention.
- Moderate: For incidents with moderate impact that can be addressed in a standard timeframe.
- Low: For incidents with minimal impact that can be handled with lower urgency.
- After selecting the appropriate severity level (e.g., Critical, High, Moderate, or Low), users click the "Save Step" button to record the prioritization and proceed to the next step in the Case Management process.
Step 4. Analysis and Response
- Analyze the Threat: Users are prompted to "Analyze the root cause of the threat and identify the affected assets and scope."
- Further Analysis: If needed, users are advised to "conduct further analysis on related logs and events" to gain deeper insights into the incident.
- Document Findings: Users are required to "describe the analysis details thoroughly in the text-area below for reporting purposes." A text editor is provided to input detailed notes, with formatting options such as bold, italic, underline, alignment, lists, links, images, and emojis.
- Users enter their analysis details in the text area.
- After completing the analysis and documenting the findings, users click the "Save Step" button to record their work and proceed to the next step in the Case Management process.
Step 5. Containment and Mitigation
- Containment Measures: Users are advised to "perform containment measures or isolate network segments to minimize impact" if the attack is ongoing.
- Isolation and Blocking: Users are instructed to "temporarily isolate affected systems or apply security policies to block the attack, if needed."
- Document Actions: Users are required to "describe the analysis details thoroughly in the text-area below for reporting purposes." A text editor is provided to input detailed notes, with formatting options such as bold, italic, underline, alignment, lists, links, images, and emojis.
- Users document the containment and mitigation actions taken in the text area.
- After completing the actions and documenting the details, users click the "Save Step" button to record their work and proceed to the next step in the Case Management process.
Step 6. Recovery and Remediation
- Resolve and Restore: Users are instructed to "resolve the root cause and restore systems or networks to their normal operational state."
- Apply Security Measures: Users are advised to "apply security patches and remove malware from infected assets" to secure the environment.
- Document Actions: Users are required to "describe the analysis details thoroughly in the text-area below for reporting purposes." A text editor is provided to input detailed notes, with formatting options such as bold, italic, underline, alignment, lists, links, images, and emojis.
- Users document the recovery and remediation actions taken in the text area.
- After completing the actions and documenting the details, users click the "Save Step" button to record their work and proceed to the next step in the Case Management process.
Step 7. Case Closure
- Update Case Status: Users are instructed to "refer to the case status and use the button below to update it to ‘Closed’" once processing is complete.
- Prepare for Next Stage: Users are informed that "during the next stage, you will be able to document the response process and outcomes, and generate the final report."
- Document Details: Users are required to "describe the analysis details thoroughly in the text-area below for reporting purposes." A text editor is provided to input detailed notes, with formatting options such as bold, italic, underline, alignment, lists, links, images, and emojis.
- Users document the final details of the case resolution in the text area.
- After documenting the details, users click the "Closed" button to officially close the case and proceed to the final step in the Case Management process.
Step 8. Post-Incident Review
- Summarize Lessons Learned: Users are instructed to "summarize lessons learned from the response process and strengthen future security measures to better handle similar threats."
- Generate Final Report: Users are advised to "document the response and outcomes, click the ‘Generate Report’ button below and complete the final report."
- Document Details: Users are required to "describe the analysis details thoroughly in the text-area below for reporting purposes." A text editor is provided to input detailed notes, with formatting options such as bold, italic, underline, alignment, lists, links, images, and emojis.
- Users document the lessons learned and post-incident analysis in the text area.
- After documenting the details, users click the "Generate Report" button to compile the final report, concluding the Case Management process.
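The eight-step procedure above is a fixed sequence: each step is saved with "Save Step", step 2 requires a "Check for Positive" selection, step 3 requires one of the four severity levels, steps 4 through 8 require written notes, step 7's "Closed" button updates the case status, and step 8's "Generate Report" button concludes the process. The following Python model is an added example and is not code from the SmartWAN Portal; the class, field and function names, the sample case values and the notes text are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The eight procedure steps, in the order the portal requires them.
STEPS = (
    "Case Open", "Initial Investigation", "Prioritization",
    "Analysis and Response", "Containment and Mitigation",
    "Recovery and Remediation", "Case Closure", "Post-Incident Review",
)
SEVERITY_LEVELS = ("Critical", "High", "Moderate", "Low")
POSITIVE_OPTIONS = ("Confirmed as True Positive", "Confirmed as False Positive")


class WorkflowError(ValueError):
    """A step was saved out of order or without the data that step requires."""


@dataclass
class Case:
    case_id: str                  # constructed identifier, not a real portal case number
    assignee: str
    event_type: str
    asset_no: str
    status: str = "Open"
    positive: str | None = None   # step 2 "Check for Positive" result
    severity: str | None = None   # step 3 severity level
    notes: dict[int, str] = field(default_factory=dict)  # step number -> notes text
    completed: list[int] = field(default_factory=list)
    report: str | None = None

    @property
    def next_step(self) -> int:
        return len(self.completed) + 1

    def save_step(self, step: int, *, positive: str | None = None,
                  severity: str | None = None, notes: str | None = None) -> str:
        """Record one step (the "Save Step", "Closed" or "Generate Report" button)."""
        if step != self.next_step:
            raise WorkflowError(f"{self.case_id}: expected step {self.next_step}, got {step}")
        if step == 2:
            if positive not in POSITIVE_OPTIONS:
                raise WorkflowError("step 2 needs a Check for Positive selection")
            self.positive = positive
        elif step == 3:
            if severity not in SEVERITY_LEVELS:
                raise WorkflowError("step 3 needs one of " + ", ".join(SEVERITY_LEVELS))
            self.severity = severity
        elif 4 <= step <= 8:
            if not notes or not notes.strip():
                raise WorkflowError(f"step {step} needs text in the notes area")
            self.notes[step] = notes.strip()
        else:
            raise WorkflowError(f"unknown step {step}")
        if step == 7:
            self.status = "Closed"          # the "Closed" button updates the case status
        if step == 8:
            self.report = self.generate_report()
        self.completed.append(step)
        return STEPS[step - 1]

    def generate_report(self) -> str:
        """Step 8 "Generate Report": compile the saved findings into one text."""
        lines = [f"Case {self.case_id} ({self.event_type}, asset {self.asset_no})",
                 f"Assignee: {self.assignee}",
                 f"Determination: {self.positive}; Severity: {self.severity}"]
        for step, text in sorted(self.notes.items()):
            lines.append(f"{step}. {STEPS[step - 1]}: {text}")
        return "\n".join(lines)


def open_case(case_id: str, assignee: str, event_type: str, asset_no: str) -> Case:
    """Step 1 "Case Open": create the case and assign it to a user."""
    case = Case(case_id, assignee, event_type, asset_no)
    case.completed.append(1)
    return case


def run_sample_case() -> Case:
    """Walk a constructed case through all eight steps."""
    case = open_case("CASE-0001", "Bryan Ga", "Traffic", "38697")
    case.save_step(2, positive="Confirmed as True Positive")
    case.save_step(3, severity="Critical")
    case.save_step(4, notes="Port scan from a single external host against the CPE.")
    case.save_step(5, notes="Blocked the source address with an SDP policy.")
    case.save_step(6, notes="No further connections seen; CPE back to Active.")
    case.save_step(7, notes="All actions complete; closing the case.")
    case.save_step(8, notes="Add an alert so scans are noticed earlier.")
    return case
```

Enforcing the order in code, rather than trusting the analyst to click through the tabs in sequence, is what makes the saved notes trustworthy as a record: a "Closed" case is guaranteed to carry a positive/negative determination, a severity and containment notes.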
Report Generation
Notification Setting
Subscription Information
- Title: A text field to enter a custom title for the alert subscription.
- Type: Checkboxes to select the type of notifications:
- Notify on case opening: Sends an alert when a new case is created.
- Notify on case progress: Sends an alert when a case’s status is updated.
- Severity Level: Radio buttons to select the severity level of cases to be notified about.
- Assignee: Displays a list of users assigned to receive alerts, including:
- Name: The assignee’s name (e.g., Bryan Ga, Timo Choi, Jay Cho, Leonardo DiCaprio).
- Assigned Role: The role of the assignee (e.g., Administrator, Customer, Engineer).
- Email Address: The assignee’s email (e.g., markov01@markov.com).
- Actions: Options to "Change Assignee" (reassign to another user) or "Remove Entry" (delete the assignee from the list).
- Recipient: Displays a list of additional recipients for alerts, with similar details and actions as the Assignee section.
- Add to Entry: A button to add new assignees or recipients to the subscription list.
- Additional fields can be defined by users.
Subscription Note
Real-Time New Case Alert
Home Screen
Some features described below are currently in the prototype stage and are scheduled for future implementation.
Widgets
1. Traffic Widget
- Description: Displays real-time network traffic data over a selected time period (e.g., last 24 hours). The graph shows RX (receive) and TX (transmit) traffic in Mbps, with peaks and trends.
2. Site Overview
- Description: Shows a summary of the status of sites.
3. Top5
- Description: Displays the top 5 sites ranked by network traffic.
4. Case
- Description: Lists critical cases and their affected objects, and provides information on pending critical cases.
5. World Map(Map view)
- Description: Provides a global map view of locations, with lines indicating connectivity between sites (e.g., Munich, New York, San Francisco, Sao Paulo, Sydney).
6. Threat case trends
- Description: A line graph showing trends in threat cases over time. Categories include Critical, High, Medium, and Low, with data points indicating case counts.
7. Today's Case Distribution
- Description: A scatter plot visualizing the distribution of cases by severity (Critical, High, Medium, Low) over a 24-hour period. Each bubble represents a case, with size indicating the number of incidents (e.g., Critical: 207 cases).
8. Today's Case Summary
- Description: A pie chart summarizing the total cases for the day.
9. Case
- Description: A table showing case-affected objects.
10. Network Summary Metrics
- Topology:
- Total Topologies: Displays the total number of network topologies (e.g., 1).
- Total Intranet Hosts: Shows the total number of intranet hosts connected (e.g., 342).
- Total WAN: Indicates the total number of Wide Area Network (WAN) connections (e.g., 124).
- Total Bandwidth: Displays the total bandwidth capacity for both download (↓) and upload (↑) in Mbps (e.g., 16,000 Mbps for both).
- Subscription Bandwidth: Shows the subscribed bandwidth for both download (↓) and upload (↑) in Mbps (e.g., 16,000 Mbps for both).
- Total SmartWAN Policies: Lists the total number of SmartWAN policies in place (e.g., 31).
- Total SmartWAN Policies (Subscription): Indicates the number of subscribed SmartWAN policies (e.g., 237).
The widgets provided on the dashboard may be modified in the future based on evolving requirements.
Map Submenu
After logging in to the SmartWAN Portal, the Home screen displays the world map ("Map View") by default. On the right side of the map, users can access additional options through the Map Submenu.
Filtering Sites by Country and Region
- Select Country & Region:
- Country: A dropdown menu to select a country (e.g., South Korea, USA, China, Germany, Japan).
- Region: A dropdown menu to select a region within the chosen country (e.g., USA > California).
- Site List:
- After applying the country and region filters, a list of sites within the selected area is displayed.
- The list includes columns such as:
- Site: Name of the site (e.g., Head Office, New York Branch).
- RX/TX (Mbps): Network traffic data for receive (RX) and transmit (TX) in Mbps.
- Critical Cases: Number of critical cases associated with the site.
- All Cases: Total number of cases for the site.
Overview
SmartWAN Portal
Report
Event Report
The Event Report menu can be found in the Report section of the left sidebar.
Event Report List
Event Report Details
Report Sections (Tabs) Table
| Tab Number | Section Name | Description |
|---|---|---|
| I | Overview | Provides a summary of the report, including title, ID, reporter, date, and analysis period. |
| II | Statistics | Displays statistical data related to the case, such as event counts and asset details. |
| III | Analysis | Details the analysis of the case, including root cause and impact assessment. |
| IV | Remediation | Outlines the remediation steps taken to resolve the incident. |
| V | Conclusion | Summarizes the outcomes and conclusions of the case response. |
| VI | Recommendations | Offers recommendations to prevent similar cases in the future. |
I. Overview
The Event Report Detail Screen under the "Overview" tab (I) includes the following items, each serving a specific purpose:
- Report Title: Indicates the main subject or focus of the report, providing a clear identifier for the incident or analysis.
- Report ID: A unique identifier assigned to the report for tracking and reference purposes within the system.
- Reported By: Identifies the user who generated the report, including their contact information for accountability and follow-up.
- Report Date: Specifies the date and time when the report was finalized, helping to establish a timeline for the incident response.
- Analysis Period: Defines the time range during which the incident was analyzed, providing context for the duration of the event and response efforts.
- Distribution Target: Lists the individuals, teams, or roles to whom the report is distributed, ensuring relevant stakeholders are informed.
- Summary: Offers a high-level overview of the incident, including key findings, the nature of the threat, and its impact, to provide a quick understanding of the situation.
- Related Elements: Presents statistical data in visual form (e.g., pie charts) to show the distribution of events by severity and the types of assets affected, aiding in understanding the scope and impact of the incident.
II. Statistics
This image displays a partial section of the complete report.
Statistics Report Summary
| Section | Purpose | Key Details |
|---|---|---|
| Threat Case Classification | Prioritizes security cases based on severity and urgency. | - Severity: Measures threat danger (Low/High). - Urgency: Measures response time needed (Low/High). - Matrix: Combines both (e.g., High Severity + High Urgency = Critical). |
| Distribution of Related Events | Visualizes how related security events spread across time/systems. | - Tracks event frequency and patterns. - Aids in identifying attack scope and hotspots. |
| List of Related Events | Groups events with shared attributes to uncover attack sequences. | Grouping Criteria: - Common Indicators: Shared IPs, users, devices. - Time Correlation: Events in close proximity. - Attack Patterns: Matches MITRE ATT&CK tactics. - Behavior Analysis: Suspicious chains (e.g., file execution → external connection). - Threat Intelligence: Matches known IOCs. |
Threat Case Classification Matrix
| Severity \ Urgency | Low Urgency | High Urgency |
|---|---|---|
| Low Severity | Minor threat; resolve later. | Less critical but needs prompt handling. |
| High Severity | Serious threat; no immediate action needed. | Critical; requires immediate response. |
Key Takeaways
- Prioritization: Clear severity/urgency tiers streamline incident response.
- Pattern Analysis: Distribution and event grouping reveal attack trends.
- Correlation: Multi-criteria linking (time, behavior, IOCs) enhances threat detection.
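The Statistics section describes two pieces of logic that can be shown together: grouping related events by a common indicator (a shared IP) and time correlation (events in close proximity), then placing each group in the Severity/Urgency matrix. The Python below is an added example, not code from the SmartWAN Portal. The event rows are constructed (documentation-range addresses, made-up rule names) in the shape of the Case Table columns, the timestamp format follows the Case Open step's "2024-09-30 10:57:59+09:00", and the urgency rule (High when a group reaches three events inside a ten-minute window) is an assumption made for the example, since the page does not define how urgency is scored.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CaseEvent:
    time: datetime
    source_ip: str
    dest_port: int
    rule: str
    severity: str        # "Low" or "High", as in the classification matrix


# Constructed sample rows (Time, Source IP, Destination Port, Rule, Severity).
SAMPLE_ROWS = [
    ("2024-09-30 10:57:59+09:00", "203.0.113.7", 22, "SSH login failures", "High"),
    ("2024-09-30 10:58:20+09:00", "203.0.113.7", 22, "SSH login failures", "High"),
    ("2024-09-30 10:59:05+09:00", "203.0.113.7", 3389, "RDP connection attempt", "High"),
    ("2024-09-30 13:40:00+09:00", "203.0.113.7", 80, "Web scanner user-agent", "Low"),
    ("2024-09-30 11:02:10+09:00", "198.51.100.9", 443, "TLS handshake anomaly", "Low"),
]

# (severity, urgency) -> outcome, taken from the Threat Case Classification Matrix.
CLASSIFICATION = {
    ("Low", "Low"): "Minor threat; resolve later.",
    ("Low", "High"): "Less critical but needs prompt handling.",
    ("High", "Low"): "Serious threat; no immediate action needed.",
    ("High", "High"): "Critical; requires immediate response.",
}


def parse_rows(rows) -> list[CaseEvent]:
    return [CaseEvent(datetime.fromisoformat(t), ip, port, rule, sev)
            for t, ip, port, rule, sev in rows]


def group_related(events, window: timedelta = timedelta(minutes=10)) -> list[list[CaseEvent]]:
    """Common indicator (shared source IP) plus time correlation: an event joins
    the current group for its IP when it falls within `window` of the previous
    event in that group, otherwise it starts a new group."""
    by_ip: dict[str, list[CaseEvent]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_ip.setdefault(ev.source_ip, []).append(ev)
    groups: list[list[CaseEvent]] = []
    for chain in by_ip.values():
        current = [chain[0]]
        for ev in chain[1:]:
            if ev.time - current[-1].time <= window:
                current.append(ev)
            else:
                groups.append(current)
                current = [ev]
        groups.append(current)
    return groups


def classify(group, burst_threshold: int = 3) -> tuple[str, str, str]:
    """Severity is the highest severity in the group; urgency is High when the
    group reaches `burst_threshold` events (assumption for this example)."""
    severity = "High" if any(e.severity == "High" for e in group) else "Low"
    urgency = "High" if len(group) >= burst_threshold else "Low"
    return severity, urgency, CLASSIFICATION[(severity, urgency)]


def triage(rows) -> list[dict]:
    """Group the rows, classify each group and return them most urgent first."""
    results = []
    for group in group_related(parse_rows(rows)):
        severity, urgency, outcome = classify(group)
        results.append({
            "source_ip": group[0].source_ip,
            "events": len(group),
            "first_seen": group[0].time.isoformat(),
            "rules": sorted({e.rule for e in group}),
            "severity": severity, "urgency": urgency, "outcome": outcome,
        })
    order = {("High", "High"): 0, ("Low", "High"): 1, ("High", "Low"): 2, ("Low", "Low"): 3}
    results.sort(key=lambda r: order[(r["severity"], r["urgency"])])
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_ROWS):
        print(row)
```

The ten-minute window is the knob that decides whether the 13:40 web-scanner hit from 203.0.113.7 is part of the morning burst or a separate, lower-priority group; widening it merges them, which is the trade-off between missing a slow attack sequence and inflating every group.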
III. Analysis
The Analysis tab (III) in the Event Report Detail Screen of the SmartWAN Portal provides in-depth threat pattern analysis, response effectiveness, and correlations between threat factors.
This image displays a partial section of the complete report.
Threat in Similar Case Occurrences and Responses
| Section | Purpose | Key Details |
|---|---|---|
| Threat in Similar Case Occurrences | Analyzes the frequency and severity of past security threats over a specified period. | - Tracks threat patterns (e.g., monthly trends). - Visualizes data to identify critical/high-risk periods. |
| Threat in Similar Case Responses | Evaluates the effectiveness of organizational responses to past threats. | - Assesses response strategies (e.g., speed, methods). - Identifies areas for improvement. |
Threat Factor Correlation Analysis
| Section | Purpose | Key Details |
|---|---|---|
| Threat Level Distribution of Related Factors | Maps the severity levels (Critical/High/Moderate/Low) of linked threat factors. | - Highlights high-risk elements (e.g., IPs, users). - Aids in prioritizing response actions. |
| Probability Distribution of Risk Levels | Quantifies the likelihood of each risk level occurring among correlated factors. | - Uses statistical analysis (e.g., "60% Moderate risk"). - Supports predictive threat assessment. |
Correlation Rules: Time-based or entity-based logic is applied to detect complex attack patterns.
Threat Scores: Calculated based on severity, context, and threat intelligence to guide decision-making.
IV. Remediation
The Remediation tab (IV) in the Event Report Detail Screen of the SmartWAN Portal provides threat mitigation actions, including detection, containment, recovery, and preventive measures for resolved security cases.
Remediation Report Section
| Section | Purpose | Explanation |
|---|---|---|
| Detection of Malicious Traffic | Identify and analyze suspicious network activities | Uses SIEM/IDS to detect anomalies like port scanning or unusual connections. |
| Multiple Failed Login Attempts | Prevent brute-force attacks and unauthorized access | Monitors repeated login failures, locks accounts, blocks suspicious IPs, and enforces stronger authentication (e.g., MFA). |
| Detection of Abnormal File Access | Protect sensitive data from unauthorized access or exfiltration | Alerts on unusual file access patterns (e.g., mass downloads). Includes user verification and role-based access reviews. |
| Execution of Unauthorized Applications | Block potentially harmful software execution | Detects unapproved apps (e.g., TeamViewer), terminates processes, and enforces app control policies (e.g., allowlisting). |
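The "Multiple Failed Login Attempts" row above describes monitoring repeated login failures, locking accounts and blocking suspicious IPs. The Python detector below is an added example and is not code from the SmartWAN Portal or its SIEM: it runs a sliding-window count of failures per account and per source IP over constructed authentication log lines. The log line format, the field names, the thresholds (5 failures per account, 10 per IP, within 10 minutes) and the rule that a successful login clears the account's failure count are all assumptions made for this example.

```python
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> auth=<ok|fail> user=<name> ip=<addr>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log; 203.0.113.7 and 198.51.100.20 are documentation
# addresses, and the line without fields stands in for a malformed record.
SAMPLE_LOG = """\
2024-09-30T09:00:00+09:00 auth=fail user=bob ip=198.51.100.20
2024-09-30T09:00:30+09:00 auth=ok user=bob ip=198.51.100.20
2024-09-30T10:57:00+09:00 auth=fail user=alice ip=203.0.113.7
2024-09-30T10:57:10+09:00 auth=fail user=alice ip=203.0.113.7
2024-09-30T10:57:20+09:00 auth=fail user=alice ip=203.0.113.7
2024-09-30T10:57:30+09:00 auth=fail user=alice ip=203.0.113.7
2024-09-30T10:57:40+09:00 auth=fail user=alice ip=203.0.113.7
2024-09-30T10:58:00+09:00 auth=fail user=bob ip=203.0.113.7
2024-09-30T10:58:10+09:00 auth=fail user=carol ip=203.0.113.7
2024-09-30T10:58:20+09:00 auth=fail user=dave ip=203.0.113.7
2024-09-30T10:58:30+09:00 auth=fail user=erin ip=203.0.113.7
2024-09-30T10:58:40+09:00 auth=fail user=frank ip=203.0.113.7
this line is malformed and must be skipped
2024-09-30T12:30:00+09:00 auth=fail user=alice ip=203.0.113.7
"""


def detect_login_abuse(lines, window: timedelta = timedelta(minutes=10),
                       user_threshold: int = 5, ip_threshold: int = 10):
    """Return (action, subject, time) findings: "lock_account" when one account
    accumulates `user_threshold` failures inside `window`, "block_ip" when one
    source IP accumulates `ip_threshold` failures across any accounts."""
    user_fail: dict[str, deque] = defaultdict(deque)
    ip_fail: dict[str, deque] = defaultdict(deque)
    flagged: set[tuple[str, str]] = set()
    findings: list[tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # malformed record: skip, never crash
        ts = datetime.fromisoformat(m["ts"])
        user, ip = m["user"], m["ip"]
        if m["result"] == "ok":
            user_fail[user].clear()          # design choice: success resets the account count
            continue
        checks = (
            (("user", user), user_fail[user], user_threshold, "lock_account"),
            (("ip", ip), ip_fail[ip], ip_threshold, "block_ip"),
        )
        for key, store, threshold, action in checks:
            store.append(ts)
            while store and ts - store[0] > window:
                store.popleft()              # drop failures that fell out of the window
            if len(store) >= threshold and key not in flagged:
                flagged.add(key)             # report each subject once
                findings.append((action, key[1], ts.isoformat()))
    return findings


def run_sample():
    return detect_login_abuse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The per-IP counter is what catches the spray across bob, carol, dave, erin and frank: none of those accounts reaches the account threshold, so an account-only rule would never fire, while the IP total reaches ten and triggers the block.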
V. Conclusion
The Conclusion tab (V) in the Event Report Detail Screen of the SmartWAN Portal provides a synthesis of key findings about cases and indicators of attack.
Section Overview
| Section | Purpose | Explanation |
|---|---|---|
| Conclusion | To synthesize key findings about cases. | Provides a high-level analysis of similarities in attack methods (e.g., code reuse, C2 communication) to link incidents to known threat actors or campaigns. Helps analysts identify operational patterns. |
| Indicator of Attack | To map observed tactics to standardized frameworks for threat categorization and response planning. | Aligns attack techniques (e.g., spearphishing, steganography) with MITRE ATT&CK tactics (e.g., T1566.001). Enables defenders to prioritize mitigations based on proven threat models. |
VI. Recommendations
A sample PDF file of the Event Report described in this guide is available for download. You can access the full report, including all sections (Overview, Statistics, Analysis, Remediation, Conclusion, and Recommendations).
Sample PDF download: ANRN-00936.pdf (APPEX Networks user only)